Qualys TRU Research Finds Manual Remediation Can’t Keep Up As Exploitation Hits ‘Negative One Day’


Qualys, Inc. (NASDAQ: QLYS), a leading provider of cloud-based IT, security and compliance solutions, today released a new research report, The Broken Physics of Remediation, revealing how exploitation timelines are outpacing human-scale remediation, and why traditional patch metrics can no longer describe true business exposure.

Conducted by the Qualys Threat Research Unit (TRU) and drawing on more than one billion CISA KEV remediation records across more than 10,000 organisations over four years (2022–2025), the report quantifies the widening gap between attacker exploitation speed and defender remediation speed. The volume of closed vulnerability events grew 6.5x in four years – from approximately 73 million in 2022 to 473 million in 2025 – highlighting a structural limit that no amount of staffing, process maturity, or executive urgency can overcome.

“In an era where adversaries increasingly operate at machine speed, any architecture that depends on human-speed response carries structural risk,” said Sumedh Thakar, president and CEO at Qualys. “The average Time-to-Exploit has collapsed to negative one day with adversaries weaponising vulnerabilities before patches even exist. The mandate is clear. We must match autonomous offense with autonomous defense. This requires a foundational architectural shift away from reactive human triage and toward a Risk Operations Centre (ROC) that fuses embedded intelligence, deterministic confirmation of actual exploitability, and autonomous remediation into a single operational loop.”

Key findings from The Broken Physics of Remediation report:

- Insight 1: Vulnerability volumes exponentially outpace manual capacity

Closed vulnerability events grew 6.5x from 73M in 2022 to 473M in 2025 – proof that remediation demand is scaling faster than teams can realistically respond.

- Insight 2: Exploitation now precedes disclosure

The average Time-to-Exploit collapsed to -1 days, meaning adversaries routinely compromise systems before vulnerabilities are even publicly disclosed.

- Insight 3: Manual remediation is too slow

Despite processing more tickets, security teams left 63% of critical vulnerabilities open at Day 7 in 2025, a deterioration from 56% in 2022 that highlights the failure of human-scale remediation.

- Insight 4: MTTR hides the true exposure window

With attackers exploiting vulnerabilities before disclosure, mean time to remediate (MTTR) (measured from Day 0) can obscure true business risk exposure. Qualys introduces Average Window of Exposure (AWE) that captures the time from exploitation to remediation. With AWE, Qualys found 85% of vulnerable assets unpatched at disclosure, 33% still open at 21 days and 12% exposed after 90 days.
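The difference between MTTR and AWE is easiest to see on a handful of records. The following is an added illustration, not code or data from the Qualys report: it assumes a simple record with disclosure, first-exploitation and remediation dates (field names and the placeholder CVE ids are constructed), and computes Time-to-Exploit, MTTR measured from disclosure, AWE measured from exploitation, and the share of findings still open N days after exploitation.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import List, Optional


@dataclass
class KevRecord:
    """One exploited-vulnerability record (assumed shape, not the report's)."""
    cve: str
    disclosed: date              # public disclosure, Day 0 for MTTR
    exploited: date              # first known in-the-wild exploitation
    remediated: Optional[date]   # None means the finding is still open


def time_to_exploit(r: KevRecord) -> int:
    """Days from disclosure to exploitation; negative when exploited first."""
    return (r.exploited - r.disclosed).days


def mean_time_to_exploit(records: List[KevRecord]) -> float:
    return mean([time_to_exploit(r) for r in records])


def mttr_days(records: List[KevRecord]) -> float:
    """Classic MTTR: disclosure (Day 0) to remediation, closed findings only."""
    return mean([(r.remediated - r.disclosed).days for r in records if r.remediated])


def awe_days(records: List[KevRecord]) -> float:
    """Average Window of Exposure: exploitation to remediation, closed only."""
    return mean([(r.remediated - r.exploited).days for r in records if r.remediated])


def pct_open_after(records: List[KevRecord], days: int) -> float:
    """Share of findings still open `days` after they were first exploited."""
    still_open = [r for r in records
                  if r.remediated is None or (r.remediated - r.exploited).days > days]
    return 100.0 * len(still_open) / len(records)


# Constructed sample; the CVE ids are placeholders, not real identifiers.
D0 = date(2025, 3, 10)
SAMPLE = [
    KevRecord("CVE-EXAMPLE-0001", D0, date(2025, 3, 7), date(2025, 3, 20)),   # exploited 3 days early
    KevRecord("CVE-EXAMPLE-0002", D0, date(2025, 3, 12), date(2025, 3, 15)),  # exploited after disclosure
    KevRecord("CVE-EXAMPLE-0003", D0, date(2025, 3, 1), date(2025, 4, 9)),    # 9 days early, slow fix
    KevRecord("CVE-EXAMPLE-0004", D0, date(2025, 3, 9), None),                # exploited, still open
]

if __name__ == "__main__":
    print(f"mean TTE {mean_time_to_exploit(SAMPLE):+.2f} d, MTTR {mttr_days(SAMPLE):.1f} d, "
          f"AWE {awe_days(SAMPLE):.1f} d, open at 21 d {pct_open_after(SAMPLE, 21):.0f}%")
```

On this sample MTTR reports 15 days while AWE reports about 18.3 days, and the open finding never enters MTTR at all; that gap is the exposure the report says MTTR hides.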

- Insight 5: Zero-Day weaponisation dominates critical threats

Out of 52 actively weaponised vulnerabilities analysed, half were exploited before public disclosure, and 88% were remediated slower than they were exploited. Manual processes drag average closure times 4-5x beyond the median.


- Insight 6: Less than 1% actually matters

Out of 48,172 vulnerabilities disclosed in 2025, only 357 (0.74%) were remotely exploitable and actively weaponised, underscoring the necessity of risk-based prioritisation frameworks to isolate genuine threats and operationalise automated remediation. Edge devices (firewalls, VPNs, gateways) carry the highest strategic risk per vulnerability.

“Adversaries do not innovate; they repeat what works. The path of least resistance has shifted from the endpoint to the edge and from there, deeper into the enterprise software organisations implicitly trust — where the manual tax is highest and exposure windows are longest,” said Saeed Abbasi, head of the Qualys Threat Research Unit (TRU). "What is emerging now is not another platform shift. It is the first time the adversary itself is becoming autonomous. The defensive side must make the same transition — and this report measures the cost of every day the transition is delayed.”

To read the full report, you can download it here.


Sumedh Thakar, president and CEO at Qualys


###

About Qualys

Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of disruptive cloud-based security, compliance and IT solutions with more than 10,000 subscription customers worldwide, including a majority of the Forbes Global 100 and Fortune 100. Qualys helps organisations streamline and automate their security and compliance solutions onto a single platform for greater agility, better business outcomes, and substantial cost savings.